An aggregate of all of GoVanguard’s InfoSec & Cybersecurity related Posts, News, Threats and Data Feeds.

An out-of-bounds read vulnerability in the Squirrel programming language lets attackers break out of sandbox restrictions and execute arbitrary code within a Squirrel virtual machine (VM), thus giving a malicious actor complete access to the underlying machine. Given where Squirrel lives – in games and embedded in the internet of things (IoT) – the bug potentially endangers the millions of monthly gamers who play video games such as Counter-Strike: Global Offensive and Portal 2, as well as cloud services such as the Twilio Electric Imp IoT platform, with its ready-to-use open-source code library. Squirrel is an open-source, object-oriented programming language used by video games and cloud services for customization and plugin development. It’s a lightweight scripting language that suits the size, memory bandwidth and real-time requirements of applications like video games and embedded systems. Both of the games mentioned above use the Squirrel Engine game library to enable anyone to create custom game modes and maps. Tracked as CVE-2021-41556, the Squirrel out-of-bounds read vulnerability can be exploited when a Squirrel Engine is used to execute untrusted code, as it is with Twilio Electric Imp or certain video games. The vulnerability was discovered by SonarSource and detailed in a post published on Tuesday. In that writeup, vulnerability researchers Simon Scannell and Niklas Breitfeld suggested a real-world scenario in which an attacker could embed a malicious Squirrel…

Source

A previously unseen advanced persistent threat (APT) group dubbed Harvester by researchers is attacking telcos, IT companies and government-sector targets in a campaign that’s been ongoing since June. According to a Symantec analysis, the group sports a veritable cornucopia of advanced and custom tools, and it’s on a quest to carry out espionage activities in Afghanistan and elsewhere in that region. As of October, the campaign was still ongoing, looking to dig up a bounty of sensitive data.

A Sharp Set of Tools

Harvester has invested in a range of tools for scything through organizations’ defenses, Symantec found, including the “Graphon” custom backdoor. Graphon is deployed alongside a tool for gathering screenshots and downloaders for other malware and tools – offering a host of remote-access and data-exfiltration capabilities. “We do not know the initial infection vector that Harvester used to compromise victim networks, but the first evidence we found of Harvester activity on victim machines was a malicious URL,” according to Symantec’s writeup. “The group then started to deploy various tools, including its custom Graphon backdoor, to gain remote access to the network.” The APT also attempts to avoid notice by using legitimate CloudFront and Microsoft infrastructure for its command-and-control (C2) activity, in a bid to go unnoticed amidst legitimate network traffic. The primary tools used by Harvester are as follows: Graphon: A custom backdoor that uses Microsoft…

Source

The Lyceum threat group has resurfaced, this time with a weird variant of a remote-access trojan (RAT) that doesn’t have a way to talk to a command-and-control (C2) server and might instead be a new way to proxy traffic between internal network clusters. Kaspersky’s Mark Lechtik – senior security researcher at the company’s Global Research & Analysis Team (GReAT) – said in a Monday post that the team has identified a new cluster of Lyceum activity that’s focused on two entities in Tunisia. In a paper (PDF) presented earlier this month at the Virus Bulletin conference, Lechtik and fellow Kaspersky researchers Aseel Kayal and Paul Rascagneres wrote that the threat actor has attacked high-profile Tunisian organizations, such as telecoms or aviation companies. That fits into the group’s target list. Lyceum has been active since as early as April 2018, when it attacked telecoms and critical infrastructure in Middle Eastern oil-and-gas organizations. Lyceum treads lightly but carries a big stick: “All the while it has kept a low profile, drawing little attention from security researchers,” the trio of researchers wrote. The Lyceum group (aka Hexane) was first exposed in 2019 by Secureworks, which spotted the group targeting Middle Eastern energy firms and telecoms with malware-laced spearphishing emails. Back then, Lyceum was using various PowerShell scripts and a novel .NET-based remote-access trojan (RAT) called DanBot, which deployed post-intrusion tools to spread across…

Source

For those in the industry, it comes as no surprise that many cybersecurity programs have been impacted by loss of revenue during the pandemic. From cutting tooling and feed budgets to reduction in staff, it’s been challenging at best. In a recent SANS 2021 survey, “Threat Hunting In Uncertain Times,” we were shown that 11 percent of organizations have had their threat-hunting and intelligence programs impacted by the pandemic, with 12 percent of the organizations polled stopping their hunting programs altogether. With ransomware affiliate actions on the rise and organizations constantly under the target of business email compromise (BEC) scams, this is a horrible time to be stuck with a shrinking budget. In light of this, we’re going to go through some broad suggestions and checklists for how to do 80 percent of what you need to do on the cyberintelligence front, at just 20 percent of the typical cost for an enterprise program.

Wrap in Open-Source Resources

Luckily, as security vendors have matured the capability of enterprise products, so too has the maturity of community projects grown. Couple those free and open technologies with the dedicated time of an analyst or researcher, and you have a viable alternative for a low-budget team. Stress must be placed on viable in this case, and it’s important to note that you should bring up with your leadership the fact that managing your own tooling comes with the price of human hours. Many of the free and open-source tools are not…

Source

Federal authorities are warning businesses to shore up cybersecurity defenses as they carefully monitor the reemergence of the DarkSide ransomware gang, believed responsible for the crippling Colonial Pipeline attack in May 2021. The ransomware-as-a-service gang has regrouped under the moniker BlackMatter, according to a joint advisory posted Monday by the Cybersecurity and Infrastructure Security Agency (CISA), FBI and the National Security Agency (NSA). The joint advisory also details what it believes are DarkSide tactics used by the BlackMatter group since they began tracking the revamped criminal organization in July 2021.

Mitigations and Recommendations

The advisory offers cyber defense tips and potential mitigations for attacks. “Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network,” according to the advisory. “BlackMatter then remotely encrypts the hosts and shared drives as they are found.” Because of its tactic of using stolen credentials to breach networks, some of the primary mitigations for defending against BlackMatter attacks relate to how organizations handle user authentication and thus are practical fixes. The agencies recommend enforcing strong passwords and implementing MFA across networks to avoid allowing compromise with stolen credentials. Using the detection signatures…

Source

It was dicta that launched a thousand provisions. In a 2010 decision adjudicating the leadership structure of counsel representing the plaintiff stockholder class challenging a controller stockholder merger, Vice Chancellor J. Travis Laster of the Delaware Court of Chancery proposed that “if boards of directors and stockholders believe that a particular forum would provide an efficient and value-promoting locus for dispute resolution, then [Delaware] corporations are free to respond with charter provisions selecting an exclusive forum for intra-entity disputes.”[1] And respond they did. Facing ubiquitous, multi-forum deal litigation, public Delaware corporations began adopting so-called exclusive forum provisions to require various types of “intra-entity disputes”—typically claims that directors breached their fiduciary duties in approving a sale transaction, often made in the wake of its announcement—be brought exclusively in Delaware courts.

Over the ensuing decade-plus since Vice Chancellor Laster’s dicta, the arms race between stockholder plaintiffs and corporate defendants has shaped these provisions into a customary boilerplate form that now encompasses certain U.S. securities law claims.


Article first published in Deal Lawyers, September – October 2021 Issue.

The post United States: Recasting a Boilerplate Provision appeared first on Global Compliance News.

Source

The TA505 cybercrime group is whirring its financial rip-off machinery back up, pelting malware at a range of industries in what was initially low-volume waves that researchers saw spiral up late last month. They do bad things, but they’re so tricky that tracking them is a ton of fun, said Sherrod DeGrippo, vice president, Threat Research and Detection at Proofpoint. “Tracking TA505 is one of life’s guilty little pleasures,” she admitted. “They are a trailblazer in the world of cybercrime, regularly changing up their [tactics, techniques and procedures, or TTPs].” TA505, aka Hive0065, is a gang of cybercrooks involved in both financial swindles and state-sponsored actions. Proofpoint researchers describe the group as being “one of the more prolific actors” that they track. It’s behind the biggest spam campaigns the firm has ever seen: namely, distribution of the Dridex banking trojan. Proofpoint has also tracked the gang distributing Locky and Jaff ransomwares, the Trick banking trojan, and others “in very high volumes,” Proofpoint says. TA505, which actively targets a slew of industries – including finance, retail and restaurants – has been active since at least 2014. It’s known for frequent malware switchups and for driving global trends in criminal malware distribution. The most recent bout of campaigns is reminiscent of TA505’s activity from 2019 and 2020, but “it doesn’t lack for some intriguing, new elements,” DeGrippo said, including spiffed-up tools and exotic…

Source

The age of remote work — where hybrid teams work out of offices, houses and coffee shops using a multitude of devices — presents challenges in terms of understanding who’s responsible for ensuring proper cyber-hygiene across the perimeter-less footprint. Suffice it to say that cybersecurity has become a massive headache for many organizations. It’s also a costly one, with the average breach carrying a price tag north of $4.2 million, according to IBM’s Cost of a Data Breach 2021 report. In addition to monetary considerations, companies that experience a breach also risk damaging their reputations and making headlines for the wrong reasons. The good news is that by taking a proactive approach to cybersecurity, understanding security roles and accountability, investing in the right tools, and following best practices — you can strengthen your organization’s security stance and protect your systems, data, and brand along the way.

Who’s Responsible for Cybersecurity?

Historically, leadership has largely been accountable for cybersecurity and has almost always viewed security as a cost center. In the age of escalating cyberattacks, that’s all changing. Today, security is everyone’s responsibility. If you’re aiming to protect yourself against threats, you will have a hard time accomplishing your goals unless every employee understands that security is a shared responsibility. At the same time, it’s important for security practitioners to understand the business needs at…

Source

A month ago, the FBI, CISA and the U.S. Coast Guard Cyber Command (CGCYBER) warned that state-backed advanced persistent threat (APT) actors are likely among those who’d been actively exploiting a critical flaw in a Zoho-owned single sign-on and password management tool since early August. At issue was a critical authentication bypass vulnerability in the Zoho ManageEngine ADSelfService Plus platform that could lead to remote code execution (RCE) and thus open the corporate doors to attackers who can run amok, with free rein across users’ Active Directory (AD) and cloud accounts. The Zoho ManageEngine ADSelfService Plus is a self-service password management and single sign-on (SSO) platform for AD and cloud apps, meaning that any cyberattacker able to take control of the platform would have multiple pivot points into both mission-critical apps (and their sensitive data) and other parts of the corporate network via AD. It is, in other words, a powerful, highly privileged application that can act as a convenient point of entry to areas deep inside an enterprise’s footprint, for both users and attackers alike. In a recent Threatpost podcast, George Glass, head of threat intelligence at Redscan – a subdivision of the Kroll responder team that manages detection and response – said that the incident has worried the firm’s main clients, who are concerned that it could turn into a similar scenario to the calamitous, widespread SolarWinds attacks in April. In the SolarWinds…

Source

Sinclair Broadcast Group, which owns hundreds of local television stations across the U.S., confirmed Monday that it has suffered a ransomware attack. The incident is disrupting its advertising operations, among other things, and spread to many of its owned TV affiliates over the weekend, knocking local broadcast feeds off the air. The cyberattack disrupted the company’s general and office operations and resulted in data exfiltration, according to the media group’s statement to the Securities and Exchange Commission (SEC): “On October 16, 2021, the company identified and began to investigate and take steps to contain a potential security incident. On October 17, 2021, the company identified that certain servers and workstations in its environment were encrypted with ransomware, and that certain office and operational networks were disrupted.” Sinclair is “actively managing” the fallout from the attack, it said, after implementing its incident-response plan. “The forensic investigation remains ongoing,” it added, explaining that it’s dealing with continuing disruption, including problems with provisioning local commercials at its TV stations. “Modern ransomware actors have learned to target an organization’s critical business systems as these need to be back online quickly and one of the easiest ways is to pay the ransom to obtain the key to decrypt those systems,” Jon Clay, vice president of threat intelligence at Trend Micro, said via email. “In this situation, targeting…

Source